Posted by: David Harley | September 18, 2018

Krebs: commentary on global authentication via your wireless carrier

Brian Krebs: U.S. Mobile Giants Want to be Your Online Identity – “The four major U.S. wireless carriers today detailed a new initiative that may soon let Web sites eschew passwords and instead authenticate visitors by leveraging data elements unique to each customer’s phone and mobile subscriber account, such as location, customer reputation, and physical attributes of the device.” What could go wrong? Well, too much for the idea to appeal to Krebs, and I have to say I agree. These carriers have not covered themselves with glory so far as regards their own/their customers’ authentication.

David Harley

Posted by: David Harley | September 18, 2018

Flushing the Mac App store

Two instances of app removal from the Mac App Store. The first concerns a legitimate security vendor, but some of its tools have been removed after it was noted that they seemed to be collecting more data than they should have been.

Shaun Nichols for The Register: Trend Micro tools tossed from Apple’s Mac App Store after spewing fans’ browser histories – “While neither Apple nor Trend has responded to a request for comment on the matter, the removals are almost certainly a response to reports in recent days that the products appeared to covertly collect and upload private user data.”

Patrick Wardle: A Deceitful ‘Doctor’ in the Mac App Store – “a massively popular app, surreptitiously steals your browsing history”

Tomáš Foltýn for ESET: Apple yanks top grossing app from Mac App Store for grabbing private user data – “The several thousand glowing reviews that Adware Doctor had garnered prior to its removal were ‘likely fake’, researchers say”

David Harley

Posted by: David Harley | September 18, 2018

Smartphones that talk too much

Daniel Oberhaus for Motherboard: Researchers Used Sonar Signal From a Smartphone Speaker to Steal Unlock Passwords – “Researchers at Lancaster University have used an active acoustic side-channel attack to steal smartphone passwords for the first time…. ‘We expect iPhones are similarly vulnerable, but we only tested our attack on Androids,’ Peng Cheng, a doctoral student at Lancaster University told me in an email.”

In brief, the idea is that the phone’s ‘acoustic signature’ can be used to determine a device user’s password as they unlock the phone.

Paper: SonarSnoop: Active Acoustic Side-Channel Attacks

Discussion on Bruce Schneier’s site: Using a Smartphone’s Microphone and Speakers to Eavesdrop on Passwords (it’s actually the comments that are, in some cases, worth reading).

Posted by: David Harley | September 18, 2018

Apple to make life easier for law enforcement

Danny Bradbury for Sophos: Apple’s new tool will make it easier for law enforcement to request data – “The company is seeking to streamline the way that it currently services information to government agencies with the new tool, which will be ready by the end of the year. It outlined the plans in a letter, from Apple’s general counsel Kate Adams to US Senator Sheldon Whitehouse of Rhode Island, according to a report from Reuters.”

There are, of course, many known instances of friction between Apple and US government agencies – notably the FBI – over getting access to devices owned by terrorists et al. It will be interesting to see how this plays out in that context. Reuters says that Apple “plans to create an online tool for police to formally request data about its users and to assemble a team to train police about what data can and cannot be obtained from the iPhone maker.”

David Harley

Posted by: David Harley | September 18, 2018

Android Issues

Lucian Constantin for Security Boulevard: New Android Botnet Pops Up on Malware-as-a-Service Market – “The toolkit, dubbed Black Rose Lucy by researchers from security firm Check Point Software Technologies, is made up of a back-end control panel dubbed the Lucy Loader and an Android implant called the Black Rose dropper. The malware was created by a team of Russian speaking developers that Check Point calls the Lucy Gang.”

Betanews: Unless you upgrade to Android Pie, a vulnerability leaves your phone trackable — and Google won’t fix it – “The vulnerability (CVE-2018-9489) was revealed in a report from Nightwatch Cybersecurity which warns that it can be used to ‘uniquely identify and track any Android device’ and also to ‘geolocate users’.”

Zeljka Zorz for Help Net: Scan reveals known open source vulnerabilities in popular Android apps – “Widespread use of unpatched open source code in popular Android apps is causing significant security vulnerabilities, warns the non-profit American Consumer Institute Center for Citizen Research (ACI)…. ‘Critical vulnerabilities were found in many common applications, including some of the most popular banking, event ticket purchasing and travel apps,’ the researchers noted.”

David Harley
